This Data Processing Addendum (“DPA”) forms part of and supplements the Merchant Agreement, Terms of Service, order form, subscription, or other agreement governing the provision of services by Layout, Inc. (“Layout,” “Processor,” “Service Provider,” “Contractor,” “we,” “us,” or “our”) to the applicable business customer (“Merchant,” “Controller,” “Business,” “you,” or “your”).
This DPA applies when Layout processes Personal Data on behalf of Merchant in connection with the Services.
If there is a conflict between this DPA and the main agreement between the parties, this DPA controls only with respect to the processing of Personal Data.
1. Purpose and Scope
This DPA governs Layout’s processing of Personal Data on behalf of Merchant in connection with the Services, including the Layout dashboard, branded mobile applications, ordering workflows, loyalty-related features, analytics, messaging features, support tools, and related platform functionality.
This DPA is intended to address applicable data protection and privacy laws that may apply to the parties’ relationship, including, where applicable:
The GDPR
The UK GDPR
Applicable U.S. state privacy laws, including California law where relevant
Other applicable laws governing processor, service provider, or contractor relationships
2. Roles of the Parties
As between the parties:
Merchant is the Controller or Business with respect to Personal Data that Merchant or its end users submit to, store in, or process through the Services for Merchant’s own business purposes.
Layout is the Processor, Service Provider, or Contractor processing such Personal Data on Merchant’s behalf and only for the limited and specific purposes described in the Agreement, this DPA, and Merchant’s documented instructions.
Merchant appoints Layout to process Personal Data solely as necessary to provide, secure, maintain, support, and improve the Services in accordance with the Agreement and this DPA.
3. Nature of the Processing
Layout’s public documentation states that the platform syncs Square catalog and location data into the app and dashboard, uses Square as the source of truth for catalog, locations, and payments, and may support loyalty and gift card-related features depending on configuration.
Accordingly, Layout may process Personal Data for activities such as:
Creating and maintaining platform-side end-user accounts for users who sign up through a Layout-powered app
Facilitating app functionality, account management, loyalty display, gift card display, order history, notifications, and related customer experience features
Processing and displaying order-related and transaction-related records
Syncing, storing, caching, or deriving data needed to operate the Services
Providing merchant dashboard functionality
Supporting analytics, support, troubleshooting, reliability, fraud prevention, and security
Assisting Merchant with communications features such as push notifications and announcements
Responding to Merchant support requests
Complying with applicable law and enforcing the Agreement
4. Categories of Data Subjects
Depending on the Services used by Merchant, Layout may process Personal Data relating to:
Merchant personnel and authorized users
Merchant end users and customers
Prospective end users interacting with a Layout-powered app
Support request submitters
Other individuals whose Personal Data is submitted to or collected through the Services at Merchant’s direction
5. Categories of Personal Data
Depending on Merchant’s configuration and use of the Services, Layout may process categories of Personal Data such as:
Name
Email address
Phone number
Account identifiers
Order history
Cart, checkout, and transaction-related records
Loyalty-related information
Gift card-related information
Store or location preferences
Push notification device tokens
Support communications
Usage, analytics, and diagnostic data
Business account and dashboard activity data
Other data submitted by Merchant or Merchant’s end users through the Services
For clarity, payment card data may be processed by third-party payment providers, including Square, rather than being stored directly by Layout as part of its normal service model. Layout’s public documentation states that payments are processed through Square and funds and reporting stay in the merchant’s Square account.
6. Merchant Instructions
Merchant instructs Layout to process Personal Data only:
To provide the Services
To perform under the Agreement and this DPA
On Merchant’s documented instructions
As required by applicable law
As necessary to detect, prevent, or address fraud, abuse, security incidents, or technical issues
As necessary to maintain, support, secure, and improve the Services in a manner consistent with applicable law and the Agreement
Layout will inform Merchant if, in Layout’s opinion, an instruction infringes applicable data protection law, unless prohibited by law from doing so.
7. Merchant Obligations
Merchant represents, warrants, and agrees that:
Merchant has all rights and permissions necessary to provide Personal Data to Layout for processing
Merchant will comply with applicable data protection and privacy laws
Merchant will provide any required privacy notices to end users and customers
Merchant will obtain any required consents or permissions
Merchant’s instructions to Layout will be lawful
Merchant is responsible for the accuracy, quality, and legality of the Personal Data and the means by which Merchant acquired it
Merchant remains responsible for its own relationship with its end users and customers, including its own privacy notices, promotions, communications, and business practices.
8. Confidentiality
Layout will ensure that any person authorized to process Personal Data is subject to an appropriate duty of confidentiality, whether contractual, statutory, or otherwise.
Layout will ensure that access to Personal Data is limited to personnel, contractors, and subprocessors who need such access for the purposes of providing the Services and who are bound by appropriate confidentiality obligations.
9. Security Measures
GDPR Article 28 requires that processors provide sufficient guarantees to implement appropriate technical and organizational measures, and processor contracts must require confidentiality, security, and assistance obligations.
Layout will implement and maintain reasonable and appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Those measures may include, as appropriate:
Access controls
Authentication requirements
Tenant and company scoping
Network and infrastructure protections
Encrypted transmission
Logging and monitoring
Backup and resilience practices
Webhook or request verification where applicable
Role-based permissions
Operational controls designed to prevent unauthorized cross-tenant access
Layout’s public documentation states that the platform uses tenant-scoped access and secure per-tenant Square connections, with webhook verification and per-company scoping.
10. Subprocessors
Merchant grants Layout general authorization to engage subprocessors to assist in providing the Services.
Layout will:
Impose data protection obligations on subprocessors that are no less protective than those set out in this DPA, as applicable to the services performed by the subprocessor
Remain responsible for the acts and omissions of subprocessors to the extent required by applicable law and the Agreement
Maintain a public subprocessor list or otherwise make subprocessor information available
Layout maintains a public subprocessor page at layoutmobile.com/subprocessors.
If Merchant reasonably objects to a new subprocessor on legitimate data protection grounds, the parties will work in good faith to address the concern. If no reasonable resolution is available, Merchant’s sole remedy will be to stop using the affected portion of the Services or terminate the applicable Services, subject to the Agreement.
11. Assistance With Data Subject Requests
Taking into account the nature of the processing, Layout will provide reasonable assistance to Merchant, through appropriate technical and organizational measures where feasible, to help Merchant respond to requests from data subjects seeking to exercise their rights under applicable law.
Because Layout often acts only as a processor or service provider for Merchant data, Merchant remains responsible for receiving, validating, and responding to data subject requests unless otherwise agreed in writing.
12. Assistance With Compliance
Taking into account the nature of processing and the information available to Layout, Layout will provide reasonable assistance to Merchant in connection with Merchant’s compliance obligations under applicable law, including, where applicable, obligations relating to:
Security of processing
Personal data breach notification
Data protection impact assessments
Consultation with supervisory authorities
The ICO’s guidance on processor contracts states that these are among the Article 28 obligations a processor must support through the contract.
13. Personal Data Breach Notification
If Layout becomes aware of a confirmed Personal Data Breach affecting Personal Data processed on behalf of Merchant, Layout will notify Merchant without undue delay after becoming aware of the breach.
Such notice may include, to the extent known and reasonably available:
A description of the nature of the breach
The categories of data involved
The likely consequences of the breach
Measures taken or proposed to address the breach
Any other information reasonably necessary for Merchant to meet its legal obligations
Layout’s obligation to notify Merchant does not constitute an admission of fault or liability.
14. Deletion and Return of Data
GDPR Article 28 contract terms require the processor, at the controller’s choice, to delete or return personal data at the end of the engagement unless retention is required by law.
Upon termination or expiration of the Services, Layout will, at Merchant’s choice and subject to the Agreement, applicable law, and technical limitations:
Delete Personal Data
or
Return Personal Data in a reasonable format where feasible
Notwithstanding the foregoing, Layout may retain Personal Data:
As required by applicable law
For legitimate backup, archival, security, fraud prevention, dispute resolution, tax, accounting, or audit purposes
Where deletion is not technically feasible in immediately accessible backups, provided such retained data remains protected and is not used for any other purpose
15. Audits and Information Rights
To the extent required by applicable law, Layout will make available to Merchant information reasonably necessary to demonstrate compliance with this DPA.
If such information is not sufficient under applicable law, Merchant may request a reasonable audit of Layout’s relevant processing activities, subject to the following:
Merchant must provide reasonable prior written notice
The audit must be limited in scope to information relevant to Merchant’s compliance needs
The audit must occur no more than once per twelve-month period unless required by law or following a confirmed material Personal Data Breach
The audit must not unreasonably interfere with Layout’s business operations
Merchant must bear its own costs and reimburse Layout’s reasonable costs where permitted
Any auditor must be subject to appropriate confidentiality obligations
Layout may satisfy audit obligations through existing certifications, summaries, reports, questionnaires, or similar materials where appropriate
16. International Transfers
If Layout processes Personal Data subject to the GDPR, UK GDPR, or similar laws in a country not recognized as providing an adequate level of protection, the parties will cooperate in good faith to implement an appropriate transfer mechanism where required by law.
The European Commission states that its 2021 Standard Contractual Clauses can be used to satisfy both Article 28 processor-contract requirements and international transfer requirements when the relevant modules are used.
If needed, the parties may incorporate:
The European Commission’s Standard Contractual Clauses
The UK International Data Transfer Addendum or other approved UK transfer mechanism
Any successor mechanism recognized under applicable law
17. California Service Provider and Contractor Terms
To the extent California law applies and Layout processes Personal Data for Merchant as a service provider or contractor:
Layout will not sell or share Personal Data received from Merchant
Layout will not retain, use, or disclose such Personal Data for any purpose other than the limited and specified purposes described in the Agreement and this DPA, except as permitted by applicable law
Layout will not retain, use, or disclose such Personal Data outside of the direct business relationship between Layout and Merchant except as permitted by applicable law
Layout will comply with applicable obligations imposed on service providers and contractors under California law
Layout will provide the same level of privacy protection required by applicable California law
Merchant has the right to take reasonable and appropriate steps to help ensure Layout uses the Personal Data in a manner consistent with Merchant’s obligations under California law
Layout will notify Merchant if Layout determines it can no longer meet its obligations under applicable California law
Nothing in this DPA prevents Layout from using data in a manner permitted by applicable law, including using de-identified or aggregated information where lawful.
18. De-Identified and Aggregated Data
Nothing in this DPA prohibits Layout from generating, using, or disclosing aggregated, anonymized, or de-identified information that does not identify Merchant or any individual, provided such information is maintained in accordance with applicable law.
19. Limitation of Liability
The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Agreement, to the extent permitted by applicable law.
20. Order of Precedence
If there is a conflict between this DPA and the Agreement, this DPA controls only with respect to the subject matter of this DPA.
If the parties execute Standard Contractual Clauses or another transfer mechanism and there is a conflict between that transfer mechanism and this DPA, the transfer mechanism will control to the extent of that conflict.
21. Governing Law
This DPA will be governed by the governing law provisions set out in the Agreement, unless applicable data protection law requires otherwise.
22. Contact
If you have questions about this DPA, you may contact:
Layout, Inc.